Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp3434204iob; Sat, 7 May 2022 05:11:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx6aq6rVzX2lSq4Rq7flw+l408cpP9EolC37G38KK3pnKHZpzy/Ty1j1Ptx4ODsCKSCzNid X-Received: by 2002:a05:6a00:801:b0:50d:ec66:fac0 with SMTP id m1-20020a056a00080100b0050dec66fac0mr7959993pfk.23.1651925516143; Sat, 07 May 2022 05:11:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651925516; cv=none; d=google.com; s=arc-20160816; b=DkFuFVEJrKbhg0dUM4Tno6UDw63ZhzcyHekSvYTAwFzqEzNBpEzQwCIEjXiu8keBJx BL1QbD5jmrkyQuvlXV+AaVozpyqka6aw0dM+SYHvO4LJC22T/J0ojVERxggZ+41tPy5C yzXRowi/8l7dNxwF6QdMdb/3r+cyIESAOog0VKxNhe+lMA2IgvgPnoIC6p6XwJfaY+z0 fbYcY6Nzh7HAlhKByGi56UgtmbZkVzcxM5bnFE5z0raXc3Wqd+9zeh3NHYAm4QTyT/Tg LWWfDp6//tZ82wpI7NIMI/4uKl9/Rfxgct9iXxzDPoAp9Jxh8a1TEOVDn5LCr4Yr2TzP /Fkw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=WrY3HsKWQNSyKWcHZ9De8AVQuhdOwlvdLddYWMvFUkY=; b=ieKabqjfVAZ7qhI6lJG7tEBfyc4NCh5Hcccy0DKRZI5w2LIJeAhMYECmSQ7PSSfVEh F5MDzm9v74712wnPTwlCA6hMjnuKDWUZiu6Cd32tnChjhSr8bvajzgSSPVSVzbHW33zT zcepGu8hQdowMydUGMaD0MJlhAuCu5nf428JeaVIh21J9XsrhA96dRTLD6i5tvKZHugC jWVxgWWp6KMUcK0R1ZtHC2xRPtLhvFHaPb/DLA2Cv5kAdg9v4fJBAd3KPxSioLgGhKqH yt82zaccAfceXNU2yQrD6SqrCgPJQ/7GmefiSeAkjiV/Pg+Zj1tTsVsXPCgzOlWWl9ig TrOg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=pOI5hGxD; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j23-20020a632317000000b003aa502eb632si7710975pgj.113.2022.05.07.05.11.26; Sat, 07 May 2022 05:11:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=pOI5hGxD; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241939AbiEFWTJ (ORCPT + 99 others); Fri, 6 May 2022 18:19:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58762 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1444707AbiEFWTI (ORCPT ); Fri, 6 May 2022 18:19:08 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E4AABD2; Fri, 6 May 2022 15:15:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id AB886611D1; Fri, 6 May 2022 22:15:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1E1F4C385A8; Fri, 6 May 2022 22:15:20 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="pOI5hGxD" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1651875318; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=WrY3HsKWQNSyKWcHZ9De8AVQuhdOwlvdLddYWMvFUkY=; b=pOI5hGxD8Nn68Qt3XNIHod2+bb2QHkAtR4AuuSM+f8Bkst7iStgI+5TfNODC78/iQ5PNQT LrDXwFoEMP6GhmvI3N4aU1p2eq54+cbjSBm2NFpXrOl/zyDtmYQLbfHtd4FFIlVcKbJ7K5 eu47V1/3izpL8l27LU88thCK+Q4nQMg= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id e3d5def3 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Fri, 6 May 2022 22:15:18 +0000 (UTC) Date: Sat, 7 May 2022 00:15:16 +0200 From: "Jason A. Donenfeld" To: Thomas Gleixner Cc: Peter Zijlstra , Borislav Petkov , LKML , x86@kernel.org, Filipe Manana , linux-crypto@vger.kernel.org Subject: Re: [patch 3/3] x86/fpu: Make FPU protection more robust Message-ID: References: <20220501192740.203963477@linutronix.de> <20220501193102.704267030@linutronix.de> <87k0b4lydr.ffs@tglx> <87fslpjomx.ffs@tglx> <87czgtjlfq.ffs@tglx> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Thomas, On Wed, May 04, 2022 at 09:05:01PM +0200, Jason A. Donenfeld wrote: > Hey Thomas, > > On Wed, May 04, 2022 at 06:45:45PM +0200, Thomas Gleixner wrote: > > add_disk_randomness() on !RT kernels. That's what made me look into this > > in the first place as it unearthed the long standing FPU protection > > bug. See the first patch in this thread. > > > > Possibly add_device_randomness() too, but I haven't seen evidence so far. > > It looks like it's being hit from add_input_randomness() via > input_handle_event() too. There are two positions we could take toward > this: > > One stance to take would be that if an event happens in an interrupt, > add_interrupt_randomness() should in theory already be siphashing in a > cycle counter so additional calls to add_{input,disk}_randomness() don't > contribute substantially (unless you assume the num field has some > entropic value). If that's compelling, then the next thing to do would > be adding a `if (in_interrupt()) return;` early on in some function, and > then we forever after impose a rule, "never mix into the input pool > directly from an irq". > > The other stance is that these input/disk events are relatively rare -- > compared to, say, a storm of interrupts from a NIC -- so mixing into the > input pool from there isn't actually a problem, and we benefit from the > quasi domain-specific accounting and the superior mixing function, > there, so keep it around. And the non-raw spinlock on the input pool > won't negatively affect RT from this context, because all its callers on > RT should be threaded. It turned out to be more complicated than this. Sometimes a given interrupt handler would have multiple calls to add_disk_randomness(), followed by a single call to add_interrupt_randomness(). Since those multiple calls all represent different things being measured, the second option of discarding them didn't seem like a good idea, but the first option seemed pretty bad too, since the status quo is way too much hashing from an irq handler. Further complicating things is the fact that add_{input,disk}_randomness() is never just called from irq or from elsewhere, as different drivers do different things. Luckily the way the entropy estimator currently works allows for a pretty straight forward compromise, which I posted here: https://lore.kernel.org/lkml/20220506215454.1671-2-Jason@zx2c4.com/ The upshot for this discussion is that it means we can probably get rid of hard irq FPU support. (This is in addition to the performance argument, in which tentatively it seemed like the difference wasn't /that/ much to justify the complexity.) I intend to mull this over a bit more, though, so if my patch is to make it in, it'll be for 5.19 and certainly not 5.18. So for 5.18, I think it's probably a good idea to apply the patches in this thread. And then for 5.19 we can take the next step. Jason